When trying to access an Office 365 mailbox via a browser, the system returned the AD FS error "AADSTS50008: Unable to verify token signature."
After entering the credentials in the Office 365 portal, the following error is displayed:
AADSTS50008: Unable to verify token signature. The signing key identifier does not match any valid registered keys.
After confirming that both the AD FS and WAP services are up and running with no issues, the Certificates status reported in the AD FS console is shown in the picture below: the Token-decrypting certificate has been updated with a recent date.
To fix this issue, I found a great post at Robin CM's IT Blog with the correct PowerShell commands to run. Open the PowerShell console and type the following command to connect to Azure Active Directory:
PS C:\> Connect-MsolService -Credential (Get-Credential)
Enter your Office 365 admin credentials and click OK.
Now type the following command to specify the server on which AD FS is running:
PS C:\> Set-MsolADFSContext -Computer w12r2-adfs01.nolabnoparty.local
Since the certificate has changed in AD FS, you need to run the following command to update the new token decryption certificate in Azure Active Directory:
PS C:\> Update-MsolFederatedDomain -DomainName nolabnoparty.com
After running the PowerShell commands, the Office 365 mailbox is accessible once again.
You may need to wait a few minutes after running the commands before the mailbox becomes accessible.
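The three steps above, put together as a script that first checks whether Azure AD still holds a stale token-signing certificate for the domain (the key AADSTS50008 complains about) and only then runs the update. This is an added example, not code from the post or from Robin CM's blog; it assumes the MSOnline module is installed and reuses the server name and domain from the post as placeholders.

```powershell
# Added example: compare the token-signing certificate AD FS uses with the one
# Azure AD has registered for the federated domain, and update only on mismatch.
# Assumes the MSOnline module is installed; replace the two values below with your own.
Import-Module MSOnline

$adfsServer = 'w12r2-adfs01.nolabnoparty.local'   # AD FS server name from the post
$domain     = 'nolabnoparty.com'                  # federated domain from the post

Connect-MsolService -Credential (Get-Credential -Message 'Office 365 admin credentials')
Set-MsolADFSContext -Computer $adfsServer

# Get-MsolFederationProperty returns one object sourced from the AD FS server and one
# from Azure AD ("Microsoft Office 365"); each carries the signing certificate it knows.
$props = Get-MsolFederationProperty -DomainName $domain
$adfs  = $props | Where-Object { $_.Source -eq 'ADFS Server' }
$cloud = $props | Where-Object { $_.Source -eq 'Microsoft Office 365' }

$adfsThumb  = $adfs.TokenSigningCertificate.Thumbprint
$cloudThumb = $cloud.TokenSigningCertificate.Thumbprint

Write-Host "AD FS signing certificate:    $adfsThumb (expires $($adfs.TokenSigningCertificate.NotAfter))"
Write-Host "Azure AD signing certificate: $cloudThumb (expires $($cloud.TokenSigningCertificate.NotAfter))"

if ($adfsThumb -ne $cloudThumb) {
    Write-Warning "Azure AD holds a stale signing key for $domain; sign-in will fail with AADSTS50008."
    # Push the current AD FS signing certificate to Azure AD for this domain.
    Update-MsolFederatedDomain -DomainName $domain

    # Re-read the Azure AD side and confirm the two sides now agree.
    $after = Get-MsolFederationProperty -DomainName $domain |
             Where-Object { $_.Source -eq 'Microsoft Office 365' }
    if ($after.TokenSigningCertificate.Thumbprint -eq $adfsThumb) {
        Write-Host "Azure AD updated; allow a few minutes before testing sign-in again."
    } else {
        Write-Warning "Thumbprints still differ; verify the AD FS context and retry."
    }
} else {
    Write-Host "Azure AD already trusts the current AD FS signing certificate; nothing to do."
}
```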
Dear Paolo, I found this entry on your blog only after the MS support helped us out. When changing our ADFS certificates last week, I did not use the MS documentation (https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-o365-certs) - I didn't find that link at the time - but instead your blog post covering the topic: https://nolabnoparty.com/en/adfs-3-0-replace-ssl-certificate, which all in all was very helpful.
I now realize it is a little older (from 2016, so I also can't comment on it any more), but maybe you could update it regarding this Update-MsolFederatedDomain part, so others won't have the same problem as me? 🙂
It worked! Thanks!